Targeting Tomcat: Ongoing Threats Uncovered

Summary

CRIL came across a blog published by AquaSec that highlights a recent discovery by researchers regarding a new attack campaign targeting Apache Tomcat servers. According to the report, it took just 30 hours for attackers to exploit a newly identified vulnerability, raising serious concerns for workloads relying on Tomcat. After gaining initial access, the attackers upload encrypted and obfuscated payloads to establish backdoors and maintain persistence. They then deploy two malicious binaries disguised as kernel processes to further exploit the compromised server. The attack infrastructure appears to be relatively new, with code fragments suggesting potential links to a Chinese-speaking threat actor.

Technical Analysis

A recent attack campaign has been observed targeting Apache Tomcat servers, with attackers deploying encrypted payloads capable of running on both Windows and Linux environments. The intrusion begins with a brute-force attempt using a Python script that tries common usernames and weak passwords (for example “Tomcat” with “123456”) against the Tomcat Manager application, the web-based management console.
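
Because the initial access is plain password guessing, the earliest signal is in Tomcat's own access log. The following detector is an added example, not code from the AquaSec report or the campaign: it assumes the default AccessLogValve pattern `%h %l %u %t "%r" %s %b` and the Manager application mounted at `/manager`, and the log lines it runs on are constructed for the example. It flags a source that accumulates a burst of 401/403 responses on the Manager, and upgrades the verdict when a later successful Manager response from the same source shows that a password was eventually guessed.

```python
# Brute-force detection over a Tomcat AccessLogValve log (added example).
# Assumes the default pattern '%h %l %u %t "%r" %s %b' and /manager as the
# Manager context path; SAMPLE_LOG below is constructed, not real traffic.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.5 guesses credentials, then logs in and
# deploys through the Manager text interface; the other sources are noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:09:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [10/Mar/2025:09:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [10/Mar/2025:09:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [10/Mar/2025:09:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [10/Mar/2025:09:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.7 - - [10/Mar/2025:09:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - tomcat [10/Mar/2025:09:00:07 +0000] "GET /manager/html HTTP/1.1" 200 19842',
    '203.0.113.5 - tomcat [10/Mar/2025:09:00:09 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 37',
    '198.51.100.9 - - [10/Mar/2025:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 11230',
]


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> verdict for sources with >= threshold auth failures
    (401/403) against /manager inside one `window`. The verdict becomes
    'brute-force-then-success' when a 2xx/3xx Manager response from the same
    source follows the failure burst, i.e. a password was guessed."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/manager"):
            by_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["status"] in (401, 403)]
        burst_end = None
        for i, start in enumerate(fails):  # sliding window over the failures
            j = i
            while j < len(fails) and fails[j] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]
                break
        if burst_end is None:
            continue
        guessed = any(r["ts"] >= burst_end and 200 <= r["status"] < 400 for r in recs)
        verdicts[ip] = "brute-force-then-success" if guessed else "brute-force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

On a real host, feed it `logs/localhost_access_log.*.txt`; if the access log pattern has been customised, adjust `LOG_RE` accordingly. A `brute-force-then-success` verdict is the point at which a deployed WAR or a new JSP under `webapps/` should be looked for.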

Once access is gained, two JavaServer Pages (JSP) files are uploaded. The first acts as a backdoor: it decrypts incoming payloads with AES under a hard-coded key and loads the result as Java classes, giving the attacker remote code execution. The second script handles persistence and privilege escalation. It first attempts to download and run a Windows executable named “os.s”; if that fails, it assumes a Linux host and executes a shell script instead.

This Linux shell script, hosted on the domain “dbliker[.]top” (registered in February 2025), goes through multiple stages of decoding, adjusts file permissions, executes its payload, and self-deletes to evade detection. Another variant of the attack drops an additional script, “ldr.sh”, that harvests SSH keys and scans the network to spread further from the compromised host. Both scripts ultimately download and execute a packed ELF binary called “app”, which expands from 2.6 MB to 8.6 MB when unpacked. The binary checks whether it is running as root and, if so, applies CPU tuning routines to improve cryptomining performance.

Behavioral analysis with tools such as strace revealed anti-debugging checks, memory mapping, spawning of new threads, and network communication on port 58493. The binary also copies itself to the “/opt/” directory and deletes the original file to avoid detection. At runtime the malware masquerades under legitimate system and kernel-thread process names such as “sd-pam” and “[cpuhp/0]”, then drops a modified copy of itself with a different hash to bypass signature-based detection. It runs cryptominers in the background, connecting to mining pools such as “gulf.moneroocean[.]stream” and “auto.c3pool[.]org”.
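
The name-mimicry described above has a structural tell: a genuine kernel thread has an empty `/proc/PID/cmdline`, no readable `/proc/PID/exe` target, and `kthreadd` (PID 2) as its parent, while a userland binary that merely calls itself “[cpuhp/0]” has all three. The genuine “(sd-pam)” process is a forked child of `systemd --user`, so its `exe` is the systemd binary. The triage script below is an added example, not tooling from the report; it also looks for the report's port 58493 in `/proc/net/tcp` (hex `E47D`) and for executables running from `/opt` or from a deleted file. The `/proc/net/tcp` text and the process tuples used in the test are constructed; the kernel-thread name list is an assumed, non-exhaustive set of common names.

```python
# Triage for kernel-thread masquerading and the reported C2 port (added example).
# Point scan_proc() at /proc on a live host (as root, so exe links resolve)
# or at a copied /proc tree; SAMPLE_NET_TCP is constructed for the demo.
import os
import re
from pathlib import Path

# Assumed, non-exhaustive list of genuine kernel-thread name patterns.
KTHREAD_NAME = re.compile(
    r"^\[?(cpuhp/\d+|kworker/\S+|ksoftirqd/\d+|migration/\d+|rcu_\w+|"
    r"kthreadd|kcompactd\d*|kswapd\d+)\]?$"
)
SUSPECT_PORTS = {58493}  # port reported for the "app" binary's traffic

# Constructed /proc/net/tcp: a loopback listener on 8080 and an established
# connection whose local port is E47D (58493).
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:E47D 5B7A4C21:0050 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def classify_process(comm, argv, exe, ppid):
    """Return the reasons a process looks like a masquerading userland binary.
    comm: /proc/PID/comm; argv: cmdline split on NUL; exe: readlink of
    /proc/PID/exe or None; ppid: PPid from /proc/PID/status."""
    reasons = []
    argv0 = argv[0] if argv else ""
    looks_kernel = KTHREAD_NAME.match(comm) or KTHREAD_NAME.match(argv0)
    # Real kernel threads: empty cmdline, no exe target, parent kthreadd (2).
    if looks_kernel and (argv or exe is not None or ppid not in (0, 2)):
        reasons.append("kernel-thread name but userland process")
    if argv0 == "(sd-pam)" and exe is not None and os.path.basename(exe) != "systemd":
        reasons.append("sd-pam name but exe is not systemd")
    if exe:
        path = exe.replace(" (deleted)", "")
        if exe.endswith(" (deleted)"):
            reasons.append("running from deleted file")
        if path.startswith(("/opt/", "/tmp/", "/dev/shm/")):
            reasons.append("executable under " + os.path.dirname(path))
    return reasons


def _read(path):
    try:
        return Path(path).read_text(errors="replace")
    except OSError:
        return ""


def scan_proc(proc_root="/proc"):
    """Map PID -> (comm, argv, exe, reasons) for every suspicious process."""
    findings = {}
    root = Path(proc_root)
    if not root.is_dir():
        return findings
    for pid_dir in root.iterdir():
        if not pid_dir.name.isdigit():
            continue
        comm = _read(pid_dir / "comm").strip()
        argv = [a for a in _read(pid_dir / "cmdline").split("\0") if a]
        try:
            exe = os.readlink(pid_dir / "exe")
        except OSError:  # kernel thread (ENOENT) or no permission
            exe = None
        m = re.search(r"^PPid:\s+(\d+)", _read(pid_dir / "status"), re.M)
        ppid = int(m.group(1)) if m else -1
        reasons = classify_process(comm, argv, exe, ppid)
        if reasons:
            findings[int(pid_dir.name)] = (comm, argv, exe, reasons)
    return findings


def sockets_on_ports(net_tcp_text, ports=SUSPECT_PORTS):
    """Parse /proc/net/tcp text and return sockets whose local or remote
    port is in `ports`; the inode can be matched to a PID via /proc/PID/fd."""
    hits = []
    for line in net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        local, remote, state = f[1], f[2], f[3]
        lport = int(local.split(":")[1], 16)
        rport = int(remote.split(":")[1], 16)
        if lport in ports or rport in ports:
            hits.append({"local": local, "remote": remote, "state": state, "inode": f[9]})
    return hits


if __name__ == "__main__":
    for pid, (comm, argv, exe, reasons) in scan_proc().items():
        print(pid, comm, argv, exe, "->", "; ".join(reasons))
    print(sockets_on_ports(_read("/proc/net/tcp") or SAMPLE_NET_TCP))
```

The process check deliberately does not rely on the displayed name alone: `ps` shows `[name]` only when the command line is empty, so a binary that sets `argv[0]` to “[cpuhp/0]” already differs from a real kernel thread at the `/proc` level. The mining-pool domains in the text are a complementary network indicator and can be matched in DNS logs.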

A deceptive technique used by the attackers includes serving hidden payloads behind fake 404 error pages. For example, visiting “hxxps://www.dbliker[.]top/w” returns what looks like a missing page, but the payload is embedded in the HTML source. Additionally, some comments in the malware’s code are written in Chinese, referencing script functions and file actions. These could be authentic or possibly intended to mislead analysts, as the rest of the code lacks any consistent linguistic indicators.

Recommendations

  • Use complex, unique passwords for all admin interfaces and disable default credentials. Implement multi-factor authentication (MFA) to reduce the risk of brute force attacks.

  • Keep all software, including Apache Tomcat and underlying OS components, updated with the latest security patches. Timely updates help close known vulnerabilities before they can be exploited.

  • Limit access to management interfaces using firewalls or IP whitelisting. Continuously monitor logs and network traffic for unusual behavior to detect and respond to threats early.
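
The first and third recommendations can be checked mechanically on a Tomcat host. The audit below is an added example, not part of the report: it reads `conf/tomcat-users.xml` and flags accounts holding Manager or admin roles whose passwords are on a short constructed weak list (including the “tomcat”/“123456” style pairs used in this campaign) or are otherwise short, and it reads the Manager application's `META-INF/context.xml` to see whether a `RemoteAddrValve` (or `RemoteCIDRValve`) restricts which source addresses may reach it. The two XML documents are constructed; the `allow` pattern in `GOOD_CONTEXT` is an assumed loopback-only policy and should be replaced with the administrator's own addresses.

```python
# Audit Tomcat Manager exposure: weak manager credentials and missing
# source-address restriction (added example; XML inputs are constructed).
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Constructed short list: Tomcat example credentials plus the pairs seen in
# the campaign. A real audit would use a larger breached-password list.
WEAK_PASSWORDS = {"tomcat", "s3cret", "123456", "password", "admin", "root", "manager"}
ADDR_VALVES = {"org.apache.catalina.valves.RemoteAddrValve",
               "org.apache.catalina.valves.RemoteCIDRValve"}

USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="123456" roles="manager-gui"/>
  <user username="deploy" password="tomcat" roles="manager-script"/>
  <user username="ops" password="xK9#vQ2!mR7$pL4w" roles="manager-gui"/>
  <user username="app" password="app" roles="webapp-user"/>
</tomcat-users>
"""
# Manager context.xml with no address restriction (the exposed state).
BAD_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'
# Manager context.xml restricted to loopback (assumed policy; edit `allow`).
GOOD_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip the XML namespace tomcat-users.xml declares."""
    return tag.split("}")[-1]


def weak_manager_users(tomcat_users_xml, min_len=12):
    """Return [(username, [problems])] for privileged users with bad passwords."""
    findings = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # unprivileged application account, out of scope here
        name, pw = el.get("username", ""), el.get("password", "")
        problems = []
        if pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower():
            problems.append("weak/default password")
        if len(pw) < min_len:
            problems.append(f"shorter than {min_len} characters")
        if problems:
            findings.append((name, problems))
    return findings


def manager_is_ip_restricted(context_xml):
    """True if the Manager context has an address valve with an allow/deny list."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") in ADDR_VALVES and (valve.get("allow") or valve.get("deny")):
            return True
    return False


def audit(tomcat_users_xml, context_xml):
    return {"weak_users": weak_manager_users(tomcat_users_xml),
            "ip_restricted": manager_is_ip_restricted(context_xml)}


if __name__ == "__main__":
    print(audit(USERS_XML, BAD_CONTEXT))
    print(audit(USERS_XML, GOOD_CONTEXT))
```

The password check only applies to plaintext entries; if a `CredentialHandler` is configured the stored values are digests and the length test is meaningless, so check the realm configuration first. Note also that the valve restricts the Manager application only; the `host-manager` application has its own `context.xml` and needs the same treatment.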

Conclusion

The campaign demonstrates how quickly attackers can exploit weak configurations and default credentials in widely used platforms like Apache Tomcat. Through a combination of stealthy payloads, privilege escalation, and resource hijacking for cryptomining, the attackers effectively compromise both Linux and Windows systems. The use of misleading tactics and hidden scripts makes detection difficult, emphasizing the importance of proactive monitoring and hardening of server environments.

Written by

FPT Metrodata Indonesia